CVE-2023-46733

Summary

The vulnerability with CVE ID CVE-2023-46733 affects the Symfony PHP framework versions 5.4.21 and 6.2.7, and prior to versions 5.4.31 and 6.3.8. The issue lies in the `SessionStrategyListener`, which fails to migrate the session after every successful login when the user identifier remains unchanged but the token changes from partially-authenticated to fully-authenticated. This results in a potential session fixation vulnerability as the session id is not regenerated as it should be. The remediation for this vulnerability is to update Symfony to versions 5.4.31 or 6.3.8 or later, where Symfony now checks the type of token in addition to the user identifier before deciding whether to regenerate the session id. This vulnerability has a base severity of MEDIUM with an exploitability score of 2.8 and an impact score of 3.6, posing a potential risk to organizations using vulnerable versions of Symfony in terms of integrity impact on their sessions.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.